The state’s computer systems are at “high risk” of online attack, and a firm hired to secretly hack into agencies’ systems easily gained access to thousands of documents containing Coloradans’ sensitive personal information, an audit released Monday revealed.

The audit, conducted from February through November, found that 12 of 20 agencies had failed to submit plans outlining their computer system security measures to the state’s Office of Cyber Security as required by law.

And while there had been 43 cyber-security incidents reported to the office since 2006, auditors thought the number was higher, noting that some known incidents had not been reported.

Most alarming to lawmakers on the Legislative Audit Committee was the result of a “covert” test by a private security firm on state agencies.

“We conducted a penetration test of public agencies and found significant vulnerabilities throughout state government that allowed the assessment team to compromise thousands of records containing individuals’ confidential information, such as Social Security numbers, birth dates and income levels,” auditors wrote. “The assessment team also compromised several state networks and systems and identified hundreds of vulnerabilities in state systems.”

The bottom line: “Overall, we determined that the state is at high risk of a system compromise and/or data breach by malicious individuals, including individuals both internal and external to the state.”

Audit prompts response

Dara Hessee, chief of staff for the Governor’s Office of Information Technology, said state officials had taken immediate steps to eliminate system vulnerabilities as they were revealed during the audit process. Other issues are longer-term problems, and the office is working on those, including developing a software tool to expedite reports of security breaches, she said.

Hessee said the office “takes cyber security very seriously, and we intend to remedy the issues identified in the audit report as quickly as possible.”

Hessee said state officials have estimated it would take $40 million to implement an adequate cyber-security plan. Meanwhile, the office’s budget is about $400,000.

State Sen. Dave Schultheis, R-Colorado Springs, the chairman of the legislative panel, said it was disappointing so many state agencies had not fulfilled cyber-security requirements under the law.

“This really disturbs me,” Schultheis said.

Some of the results of the covert operation were so sensitive that lawmakers heard them in a closed session.

But even the public parts of the audit showed how easy it was to get into state systems.

In some cases, testers simply guessed obvious usernames and passwords, and in others, they used default usernames and passwords that system administrators never changed.

And testers found there were many other ways to access state computer systems, including “numerous IP addresses that appeared to be unused and that had ports open that were running unneeded and outdated services.

“Additionally, we identified a file-upload utility on one agency’s Web server that allowed us to upload malicious code and take full control of the server.”

Auditors determined that the Office of Cyber Security has no strategic plan or meaningful performance measures, and singled out its “lack of effective leadership.”

The Office of Cyber Security, which is under the Governor’s Office of Information Technology, said it was revamping its policies to, among other things, require agencies to comply in a more timely manner with cyber-security mandates.

Results stun lawmakers

The cyber-security office has developed a strategic plan establishing its mission, vision, goals, objectives and priorities, according to a release.

Previous audits have revealed weaknesses in the state’s cyber security. A 2008 audit showed driver’s license information did not have adequate safeguards.

And the audit Monday said “privilege misuse” allowed a Department of Revenue tax examiner to steal more than $10 million from the state. The employee was caught and later pleaded guilty to the theft.

Lawmakers on the audit committee said they were stunned by the latest audit.

“It’s scary,” said Sen. Lois Tochtrop, D-Thornton, vice chairwoman of the panel. “I’m very happy we did the audit so we can move forward to protect information.”

Schultheis said he was convinced information-technology officials had taken steps to bolster security, but he said more money may be needed to address the problem.

“I would hope that the Joint Budget Committee would allocate some significant dollars even in this difficult time to fund what is a definite necessity,” he said.

More in Politics

The CIA has concluded in a secret assessment that Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system, according to officials briefed on the matter.

Ford Motor Co. is going ahead with plans to move small-car production from the U.S. to Mexico despite President-elect Donald Trump’s recent threats to impose tariffs on companies that move work abroad.

Donald Trump’s administration, already seen as the wealthiest in modern history, is about to get even richer when Goldman Sachs Group Inc.’s Gary Cohn is named the president-elect’s chief economic policy adviser.

Former New York City Mayor Rudy Giuliani formally withdrew from consideration for a post in President-elect Donald Trump’s administration Friday, putting an end to his ill-fated bid to lead the State Department.